SAML-Toolkits · pitbulk · Jan 31, 2022 · Jan 31, 2022
diff --git a/lib/onelogin/ruby-saml/utils.rb b/lib/onelogin/ruby-saml/utils.rb
@@ -32,6 +32,7 @@ class Utils
           (\d+)W                    # 8: Weeks
         )
       $)x.freeze
+      UUID_PREFIX = '_'
 
       # Checks if the x509 cert provided is expired
       #
@@ -333,8 +334,12 @@ def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
         end
       end
 
+      def self.set_prefix(value)
+        UUID_PREFIX.replace value
+      end
+
       def self.uuid
-        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+        "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
       end
 
       # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,

diff --git a/test/logoutrequest_test.rb b/test/logoutrequest_test.rb
@@ -94,6 +94,21 @@ class RequestTest < Minitest::Test
       end
     end
 
+    describe "playgin with preix" do
+      it "creates request with ID prefixed with default '_'" do
+        request = OneLogin::RubySaml::Logoutrequest.new
+
+        assert_match /^_/, request.uuid
+      end
+
+      it "creates request with ID is prefixed, when :id_prefix is passed" do
+        OneLogin::RubySaml::Utils::set_prefix("test")
+        request = OneLogin::RubySaml::Logoutrequest.new
+        assert_match /^test/, request.uuid
+        OneLogin::RubySaml::Utils::set_prefix("_")
+      end
+    end
+
     describe "signing with HTTP-POST binding" do
 
       before do

diff --git a/test/request_test.rb b/test/request_test.rb
@@ -161,6 +161,19 @@ class RequestTest < Minitest::Test
       assert auth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
     end
 
+    it "creates request with ID prefixed with default '_'" do
+      request = OneLogin::RubySaml::Authrequest.new
+
+      assert_match /^_/, request.uuid
+    end
+
+    it "creates request with ID is prefixed, when :id_prefix is passed" do
+      OneLogin::RubySaml::Utils::set_prefix("test")
+      request = OneLogin::RubySaml::Authrequest.new
+      assert_match /^test/, request.uuid
+      OneLogin::RubySaml::Utils::set_prefix("_")
+    end
+
     describe "when the target url is not set" do
       before do
         settings.idp_sso_service_url = nil

diff --git a/test/slo_logoutresponse_test.rb b/test/slo_logoutresponse_test.rb
@@ -83,6 +83,21 @@ class SloLogoutresponseTest < Minitest::Test
       assert_match /Destination='http:\/\/unauth.com\/logout\/return'/, inflated
     end
 
+    describe "playgin with preix" do
+      it "creates request with ID prefixed with default '_'" do
+        request = OneLogin::RubySaml::SloLogoutresponse.new
+
+        assert_match /^_/, request.uuid
+      end
+
+      it "creates request with ID is prefixed, when :id_prefix is passed" do
+        OneLogin::RubySaml::Utils::set_prefix("test")
+        request = OneLogin::RubySaml::SloLogoutresponse.new
+        assert_match /^test/, request.uuid
+        OneLogin::RubySaml::Utils::set_prefix("_")
+      end
+    end
+
     describe "signing with HTTP-POST binding" do
 
       before do